xloader_apk | 4bb553f03d5a0eacb37897ca55de9f28041fa8aed77c10791510aa1980cee6e1 | Triage

Resubmissions

10-09-2024 08:13

240910-j4mxxatepp 6

07-09-2024 22:04

240907-1y1p9axfrn 10

Sharing

General

Target

4bb553f03d5a0eacb37897ca55de9f28041fa8aed77c10791510aa1980cee6e1.bin
Size

208KB
Sample

240907-1y1p9axfrn
MD5

040ed432e4f593758560eb66f5a8ecb2
SHA1

f9cec59582a9395e921d80248020eb050273754b
SHA256

4bb553f03d5a0eacb37897ca55de9f28041fa8aed77c10791510aa1980cee6e1
SHA512

69644f0d8e25ba874de6b3ae2843f3f077675b1898f4617f044a4b947433364c90b1e1d5c59775ba2a50ee6bec69be58fe9655030b0c8c44d10d08c47f786711
SSDEEP

3072:sE7PCaH4o51AsAAQEmYVhEqVIweuIqKZMTC2OdDPF6G5HTajAKUmrWUV3neRfa0S:s+PCa9nqAvK9MhaF6GFZqheciQZD

Score

10^/10

xloader_apk android banker collection discovery evasion impact infostealer persistence trojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Targets

- Target
  
  4bb553f03d5a0eacb37897ca55de9f28041fa8aed77c10791510aa1980cee6e1.bin
- Size
  
  208KB
- MD5
  
  040ed432e4f593758560eb66f5a8ecb2
- SHA1
  
  f9cec59582a9395e921d80248020eb050273754b
- SHA256
  
  4bb553f03d5a0eacb37897ca55de9f28041fa8aed77c10791510aa1980cee6e1
- SHA512
  
  69644f0d8e25ba874de6b3ae2843f3f077675b1898f4617f044a4b947433364c90b1e1d5c59775ba2a50ee6bec69be58fe9655030b0c8c44d10d08c47f786711
- SSDEEP
  
  3072:sE7PCaH4o51AsAAQEmYVhEqVIweuIqKZMTC2OdDPF6G5HTajAKUmrWUV3neRfa0S:s+PCa9nqAvK9MhaF6GFZqheciQZD
Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence trojan
- XLoader payload
- XLoader, MoqHao
  An Android banker and info stealer.
  trojan infostealer banker xloader_apk
- Checks if the Android device is rooted.
  evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the content of the MMS message.
  collection
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests changing the default SMS application.
  collection impact
behavioral1

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Credential Access

Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Protected User Data

SMS Messages

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

SMS Control

Tasks

static1

behavioral1

xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencetrojan